Individual accountability: Global regulatory developments in financial services

July 2018

kpmg.com/individualaccountability


Contents

01 Introduction

02 The UK regime

03 Experience with the UK regime

04 UK next steps

05 The wider international context

06 How KPMG can help

© 2018 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.


01. Introduction

In recent years a number of regulators, including in the UK, have focused increasingly on individual accountability. Regulated firms are being required to identify senior managers, allocate responsibilities to these senior managers, draw together responsibility maps for the firm, and ensure that senior managers (and in some cases a wider range of staff) are fit and proper for their roles and meet conduct rules established by the regulator. Individual accountability is now a global concept and is becoming a regulatory focus area around the world – as, for example, in Australia (the Banking Executive Accountability Regime), Hong Kong (the Manager-in-Charge regime), Singapore (proposed guidelines on individual accountability and conduct), the UK (the Senior Managers and Certification Regime, which is being rolled out to almost all regulated firms), the US (the latest guidance on the management of business lines and risk management), and in the Financial Stability Board’s work on governance and misconduct. More countries are likely to follow suit over the coming years.

This increasing focus on individual accountability has been driven by three main factors. First, to constrain excessive credit and market risk taking, in particular by banks, through a focus on both heads of business lines and heads of control functions such as compliance, risk management and internal audit.

Second, together with the greater emphasis on culture, to mitigate retail and wholesale misconduct risks through a focus on conduct standards and on senior managers taking reasonable steps to prevent regulatory breaches in the areas for which they are responsible. This is also part of a wider focus of both regulators and financial institutions to restore trust in the financial sector.

Third, to hold individual senior managers to account (including through lower remuneration and disciplinary actions) when regulatory breaches and other failures do occur.

Firms have taken the shift to greater individual accountability seriously, perhaps not least because of the potential consequences on individual senior managers of a failure to do so. Some firms have undertaken large-scale reviews and updates of governance structures, management reporting structures, individual responsibilities, governance maps, and management information.


02. The UK Regime

The UK’s Senior Managers and Certification Regime (SMCR) emerged from recommendations made in 2013 by the Parliamentary Commission on Banking Standards.

The Parliamentary Commission on Banking Standards was established in response to the financial crisis of 2007-2009, repeated episodes of mis-selling to retail consumers, and the manipulation of LIBOR. The Commission concluded that the “approved persons” regime in place during these events was inadequate because meaningful responsibilities were not attributed to anyone, so it was not possible to hold individual senior managers to account (including taking enforcement action against them) for their roles in these failures.

Among the Commission’s many recommendations was the replacement of the approved persons regime with a new Senior Managers Regime, to ensure that the most important responsibilities within banks are assigned to specific senior individuals so they can be held fully accountable for their decisions and the standards of their banks in these areas. The Commission also recommended that banks should verify the fitness and propriety of their staff, and that staff should follow a new set of Banking Standards Rules.

These recommendations resulted in the SMCR for banks, building societies and major investment firms, and the Senior Insurance Managers Regime (SIMR) for insurers (initially, no certification regime was put in place for insurers), in both cases with effect from March 2016. A full SMCR will be extended to insurers from 10 December 2018 and to almost all regulated firms in the UK from 9 December 2019 (see Chapter 04).

Senior managers

The key objective of the senior management element of the SMCR is to focus accountability on a small number of senior individuals, by specifying which senior managers are covered by the regime, what they are responsible for, and the steps they need to take to prevent a regulatory breach occurring in the area of the business for which they have responsibility.

Senior management roles covered by the SMCR are specified in the table opposite (page 5). The FCA coverage is slightly wider than the PRA’s, reflecting the FCA’s mandate for conduct of business and anti-money laundering.


Senior manager roles covered by the SMCR for banks

PRA population of senior managers

• Chair of the board
• Chairs of risk, audit and remuneration committees of the board
• Senior independent director
• CEO, CFO, CRO
• Head of internal audit
• Heads of key business areas
• Group entity senior manager
• Chief of operations

FCA population of senior managers (in addition to the PRA population)

• Chair of nominations committee of the board
• Executive directors
• MLRO
• Head of Compliance
• Other overall responsibility senior managers

Individuals undertaking these roles must:

1. Be assessed as being fit and proper for the role by the financial institution.

2. Be approved by the regulator(s) to undertake the specific role in a specific financial institution (the approval does not carry across to other roles or to other financial institutions). This approval may be granted on the basis of a review of the application forms alone, or the regulator(s) may supplement this with one or more interviews of a candidate.

3. Have clear and succinct individual statements of responsibilities. This should include, but not be confined to, an assignment of the “prescribed responsibilities” listed by the regulators. In addition, the financial institution should develop a comprehensive and up to date overall “management responsibilities map” that shows how all the individual responsibilities fit together, together with reporting lines and committee structures (indeed, one of the prescribed responsibilities that has to be allocated to a senior manager is the responsibility for maintaining this mapping).

4. Meet the Conduct Rules for senior managers and for all non-ancillary staff (see table on page 6). In particular, senior managers are required to take “reasonable steps” to ensure that the business of the firm for which they are responsible is controlled effectively and complies with relevant requirements and standards of the regulatory system. What is “reasonable” will depend on the specific facts of any particular situation, but a senior manager must be able to satisfy the regulator that they took ‘reasonable steps’ to avoid any regulatory breach occurring in their area of responsibility.


Evidence to meet the “reasonable steps” test

Structure

• Governance framework
• Policies and procedures
• Reporting lines
• Committee memberships

Execution

• Systems and controls in place
• Appropriate delegations
• Active management
• Proactive participation in committees

Information

• Management information
• Regular reporting
• Minutes of meetings
• Incident/breach escalation
• Regulatory correspondence and meetings/interviews

Non-executive directors

• Challenge of the executive
• Forward looking and proactive approach
• Regular and effective meetings of the board and board committees
• Competent and active members of the board and board committees
• Sufficient management information to assess risks and significant business activities

Certification Regime

The objective of the Certification Regime is to ensure that customer-facing and risk-taking staff below the level of senior managers are fit and proper, take personal responsibility for their actions, and meet the Conduct Rules that apply to all non-ancillary staff (see table below).

The population of staff covered by the Certification Regime is determined by the financial institution, but must include staff defined by the regulators to be material risk takers or in a position to cause “significant harm”. A financial institution must assess annually and certify that individuals in scope are fit and proper, in terms of their qualifications, training, competencies and personal characteristics. It must also carry out enhanced background checking when employing staff in these roles, including regulatory references from past employer(s) over the previous six years of the individual’s employment history.

Meeting these obligations under the Certification Regime is itself a prescribed responsibility that must be assigned to a senior manager.

Conduct Rules

In addition to the specific Conduct Rules for senior managers a further set of Conduct Rules is applied to all non-ancillary staff.

Conduct Rules specifically for Senior Managers

SM1 - You must take reasonable steps to ensure that the business of the firm for which you are responsible is controlled effectively

SM2 - You must take reasonable steps to ensure that the business of the firm for which you are responsible complies with relevant requirements and standards of the regulatory system

SM3 - You must take reasonable steps to ensure that any delegation of your responsibilities is to an appropriate person and that you oversee the discharge of the delegated responsibility effectively

SM4 - You must disclose appropriately any information of which the FCA or PRA would reasonably expect notice

Individual Conduct Rules applicable to all non-ancillary staff

CR1 - You must act with integrity

CR2 - You must act with due skill, care and diligence

CR3 - You must be open and cooperative with the FCA, the PRA and other regulators

CR4 - You must pay due regard to the interests of customers and treat them fairly

CR5 - You must observe proper standards of market conduct

Firms must ensure that all persons subject to the Conduct Rules are notified of the rules, and take all reasonable steps to ensure that those persons understand how the rules apply to them, including the provision of suitable training

Breaches of Conduct Rules must be reported to the regulator


03. Experience with the UK regime

The UK’s SMCR and SIMR have had a significant impact on banks’ and insurers’ governance frameworks, and to some extent on their culture and behaviours. Some implementation issues have arisen, in particular in more complex groups and the UK subsidiaries of overseas banks and insurers. Supervisory attention has focused primarily on the approval of senior managers, and on checking that financial institutions have the main elements of the regime in place.

We focus in this chapter on the experiences of UK banks and insurers with the implementation of the SMCR and the SIMR respectively. This covers how these financial institutions have approached the implementation challenge, what has changed in terms of culture and behaviours, the main issues arising, and the focus of supervisors. Some lessons emerge for the further roll-out of the SMCR in the UK and for the introduction of similar regimes in other countries.

Implementation

Culture and behaviour

Complexity and unintended consequences

Supervisory responses


Implementation

Banks and insurers have taken a wide range of approaches to implementing the SMCR and the SIMR.

At a minimum, some firms have simply “ticked the boxes” by producing sets of individual responsibilities for senior managers and an overall mapping of governance arrangements, not least because these components are essential for gaining approvals for candidates for senior manager roles. Such firms are more likely to find that they have not allocated responsibilities with sufficient clarity or to sufficiently senior managers, have not focused sufficiently on what each senior manager is actually responsible for, have not covered all relevant business functions and activities, and have not provided sufficient information on governance arrangements (including reporting lines and committee structures and memberships).

In most cases, however, firms have gone beyond this and engaged more with the spirit of the new regime. The duty of responsibility on senior managers may have been particularly important in concentrating minds here. Firms at this more active end of the spectrum have taken the opportunity to review their governance arrangements, and to clarify and refresh roles and responsibilities, management information, reporting and escalation routes. These firms have followed some combination of:

• Established SMCR/SIMR programmes with clear leadership and buy-in from the Chair and CEO. Senior leadership has been fundamental in driving willing adoption and adherence.

• Allocated ownership across a number of key functions with clear roles and responsibilities for meeting each element of the new regime.

• Undertaken a gap analysis of their current state against the SMCR and SIMR requirements.

• Reviewed their current allocation of responsibilities. In most cases this has led to changes in allocation and to a general “cleaning up” and updating of responsibilities, and in some cases to more streamlined and more effective management.

• Reviewed governance structures, including senior manager structures, board and executive committee terms of reference and memberships, and individual and committee reporting lines. This has led to an overhaul of the governance framework in some firms.

• Developed a “reasonable steps” framework to assist in evidencing that senior managers have taken reasonable steps to avoid regulatory breaches.

• Reviewed management information to assist senior managers in discharging their responsibilities. Some firms have overhauled their risk management system as it became clear that management information was inadequate and did not enable some senior managers to gain assurance that necessary systems and controls were in place and were working effectively.

• Enhanced the training and development of current and candidate senior management (including board members), including on the nature and objectives of the SMCR/SIMR.

• Established quality assurance reviews of programme deliverables (for example statements of responsibilities, reasonable steps framework and the firm’s conduct breach methodology).

• Engaged proactively with regulators.

Successful programmes have usually been based on a willingness to use the SMCR/SIMR as an opportunity to reassess the appropriateness and effectiveness of current governance arrangements and to challenge the roles of both individuals and committees. This has facilitated improved governance, and in some cases enabled a degree of rationalisation and simplification of governance structures. However, some firms found that because this re-engineering was poorly managed or thought through it resulted in arrangements that were not fit for purpose or were overly complicated or burdensome, requiring further re-working to create an effective and efficient governance framework.

Successful programmes have also usually leveraged templates and documentation that were already in place and sought to align new processes and procedures with existing practices and IT systems, and recognised competing priorities, dependencies (for example with some elements of MiFID 2 and Solvency 2) and stress points.

New entrants to the UK market (subsidiaries and branches of overseas parents, and new UK-headquartered challenger firms) have engaged with the SMCR/SIMR and generally understood the importance of governance framework design and of allocating responsibilities to appropriate individuals, taking into consideration proposed reporting lines and overall responsibility for certain functions and business lines. In some cases this has had an impact on recruitment decisions (for example whether to hire someone with an understanding of the regime and the necessary skills and expertise to discharge their responsibilities appropriately), and on the allocation of responsibilities and reporting lines between the subsidiary or branch and its parent.

One key implementation challenge that has emerged relates to the ownership of the regime and the transition from implementation to business as usual. At the implementation stage, and for the business as usual operation of the senior managers element of the new regime, most firms have allocated ownership to the CEO’s office. For the business as usual operation of the Certification Regime, firms have allocated ownership more evenly between the COO/CEO office, Compliance and HR. Some firms have underestimated the operational resources required to establish and operate a Certification Regime.

The importance of HR, and of an effective working relationship between HR and a firm’s control functions, has become clearer in firms with a large number of certified persons, where the firm will be responsible for assessing their fitness and propriety on an annual basis, and for conducting enhanced checks at the recruitment stage. Some firms have introduced technology to facilitate data collection, reporting and record keeping in this area. HR functions in some firms are challenging themselves on whether they have the right skills and capabilities to run these regimes on a business as usual basis.

Culture and behaviour

Given the timescales required to achieve significant and tangible cultural change, the jury is still out on the extent to which the SMCR/SIMR has driven large scale changes in culture. However, there are clearer indications that the regimes have led to improved governance in many banks and insurers.

Senior managers have reviewed and challenged their own personal responsibilities and considered whether these are appropriate. Even where the SMCR/SIMR largely codified existing responsibilities, a much brighter spotlight has been targeted on senior manager accountability.


Senior managers have become wary of the possible sanctions on them for regulatory breaches in their areas of responsibility, and this has promoted greater control and scrutiny over their respective areas. But, as a result, senior managers have become more empowered by this clarification of accountability and delineation of responsibilities.

Similarly, there have been reports that senior managers have become more involved at board, board committee and executive committee meetings, with more active participation and discussion. The downsides of this may be (a) a corresponding decision-making paralysis at lower levels, with lower level management becoming more reluctant to make decisions themselves and escalating more to senior managers and to senior manager level committees; and (b) committees becoming an advisory panel for the (senior manager) chair of the committee.

Some firms have linked to some extent the SMCR/SIMR with other initiatives on culture, values and behaviours. Conduct risk has become better integrated within the overall risk framework, and training on conduct has become more of a business as usual activity than it used to be.

Complexity and unintended consequences

Firms have struggled with the implementation of the SMCR/SIMR in five key areas.

First, some firms and senior managers have found it difficult to understand fully their obligations in a number of areas. Many firms have found it difficult to define how far they – and their senior managers – should go to establish that “reasonable steps” have been taken to avoid regulatory breaches, and the extent to which second and third line of defence control functions and internal audit should be involved in monitoring this and providing assurance that the appropriate steps have been taken.

Firms have also struggled with how to interpret some of the prescribed responsibilities such as those relating to culture; with the identification and notification (internally, and to the regulators) of breaches of the Conduct Rules; and – for the banks, building societies and major investment firms so far subject to the Certification Regime – with the identification of populations for the Certification Regime (including the interpretation of “significant harm” and the extent to which roles requiring formal qualifications should be captured).

A more recent challenge here relates to the roles and responsibilities of a firm’s chief of operations, not least in the context of the many issues for firms emerging from fintech, operational continuity, legacy IT systems and cyber security.

Second, some firms have found it difficult to establish the identification and role of group entity senior managers and the application of the “other overall responsibility” senior manager function. Some banks and insurers with overseas parents have struggled to identify and to allocate a clear set of responsibilities to group level senior managers (including not just business managers, but also in cases where risk and compliance functions are provided in part at parent level), and to define how responsibilities will be shared with UK-based senior managers within a matrix management structure.

In some cases an overseas parent has been reluctant to designate managers based outside the UK as senior managers, even if they meet the significant influence test. In other cases this has led to a multiplicity of designated senior managers at both parent and subsidiary/branch levels, which can seem disproportionate to the size of the subsidiary/branch. Further complexity has arisen where an overseas parent operates through both a subsidiary and a branch in the UK, with some senior managers undertaking senior management functions in both UK entities.

Even within the UK, issues have arisen where individuals in an unregulated group entity have a significant influence over one or more regulated entities within the group.

Firms are also often unclear about how many senior managers should be allocated to the group entity senior manager function – some firms may have identified too many senior managers to this function, and in some cases have identified managers who are too junior (in both cases this blurs accountability).

Third, firms have faced a series of operational challenges, such as resourcing issues, particularly in Compliance and HR functions; the cost associated with tailored training for different cohorts of senior management and certification regime staff; preparing and maintaining documentation, and ensuring consistency between the management responsibilities map and individual statements of responsibilities; communicating the change in an effective way across the entire organisation; and obtaining and providing regulatory references.

Fourth, where branches of European banks are re-authorising as non-EEA branches this has resulted in these branches having to apply the non-EEA Branch SMCR regime, which captures a wider range of senior manager roles and is not specifically designed with some of the smaller European branches in mind.

Finally, some firms have struggled to implement the SMCR/SIMR at the same time as introducing organisational change as a result of other regulatory requirements (recovery planning, resolution and the ring-fencing of retail banks), Brexit, mergers and acquisitions, or other group restructurings.


Supervisory responses

During the transition period in 2016 most of the supervisory scrutiny was on larger banks, investment firms and insurers, many of which were asked to make changes to the designation of senior manager roles, statements of individual responsibilities, and the management responsibilities map. Smaller banks and insurers were generally left to implement the SMCR/SIMR without the same level of scrutiny, except where supervisors were engaged with the firm in other areas, where there were obvious issues in implementation, or where new candidates were nominated for senior manager roles.

On a more steady state basis, supervisors will usually review individual statements of responsibilities and the firm’s management responsibilities map in preparation for meetings with senior management. Supervisors may also use meetings with senior managers to test how well the SMCR/SIMR has been embedded. This may highlight inadequacies that need to be addressed.

For example, in some cases management responsibility maps have been criticised by supervisors for being too complex and unwieldy, making them not only hard to navigate but also difficult to maintain as live documents. In other cases firms have been requested to provide more detail in management responsibility maps on governance arrangements, particularly their interactions with parent firms and group arrangements more generally (for example where senior executive remuneration is determined by a group-level remuneration committee, or where IT and other infrastructure issues are owned and managed at group level).

Supervisors have also sometimes asked for additional rationale for allocations of responsibilities that do not appear to be ‘standard’.

Other areas in which supervisors have expressed an interest include:

• challenging firms where senior manager roles have not been allocated to the most senior relevant individual in the firm (the supervisors refer to this as ‘juniorisation’);

• challenging firms where global heads based in the UK have not been designated to be senior managers;

• requesting information on certification arrangements, and even requesting firms to undertake an internal audit on their application of the Certification Regime;

• indicating concern where responsibility for financial crime has been allocated to a money laundering reporting officer who is not of sufficient seniority, or has been split across individuals; and

• requesting that firms present information about the way in which different entities might be linked from a governance perspective (especially in the event of matrix management, where individuals have dotted reporting lines into other entities).

The PRA and FCA also now have much greater insight and clarity on regulatory breaches as a result of the reporting and notification requirements in the SMCR/SIMR. These data are likely to inform future supervisory and thematic activity across firms and sectors.

Finally, the SMCR/SIMR is likely to be reinforced over time through enforcement actions against senior managers. For example, the FCA’s May 2018 enforcement notice against the CEO of a major UK banking group made specific reference to the role of a CEO within the SMCR and to Individual Conduct Rule 2 (acting with due skill, care and diligence).


04. UK next steps

The SMCR is being rolled out to most regulated firms in the UK. This will extend to almost all regulated firms the core elements of the SMCR, as described in Chapter 2 of this paper – senior manager roles and statements of responsibility, the duty of responsibility on senior managers, the Certification Regime, and the Conduct Rules. Near final rules for this extension were published in July 2018.

Insurers

Insurers will be subject to the full set of SMCR requirements from 10 December 2018. This will extend the current SIMR and modified approved person requirements currently being applied to insurers by the PRA and FCA respectively. In particular, this extension will:

• apply the statutory duty of responsibility to senior managers

• require Solvency 2 insurers and large non-Directive insurers to take all reasonable steps to ensure that a senior manager is provided with all the information and materials they would reasonably expect in order to perform a new senior management function

• require insurers to assess and certify (annually from December 2019) the fitness and propriety of staff covered by the Certification Regime (including staff capable of causing significant harm to the firm or its customers)

• require all Certified staff to meet the Conduct Rules from 10 December 2018, and for all non-ancillary staff to do so from December 2019.

Solvency 2 insurers and large non-Directive firms will need to submit a conversion notification, statements of individual responsibilities and a management responsibilities map to the FCA to convert existing approved individuals to new senior management roles. However, individuals will not have to re-apply for approval if the proposed senior management roles can be mapped directly from the modified approved persons regime. The PRA requires no re-approval in transitioning from the SIMR.

Individuals at small insurers not covered by Solvency 2, at insurers in run-off, or at an insurance special purpose vehicle, will be converted automatically from their current modified approved person functions to the corresponding senior manager roles.


Other regulated firms

Most other regulated firms will be subject to the SMCR from 9 December 2019, although for these firms the Certification Regime will not be fully operational until December 2020 (when these firms will be required to certify relevant employees as being fit and proper for the first time). All regulated firms will be subject to most elements of the SMCR, including statements of responsibility for senior managers, the duty of responsibility on senior managers, criminal record checks for the approval of a senior manager, the Certification Regime for staff who could cause significant harm to the firm or its customers, fit and proper requirements and regulatory references for senior managers and staff covered by the Certification Regime, and the Conduct Rules for senior managers and for all non-ancillary staff.

There are also some adjustments for specific types of firm. For example, asset managers will be subject to the additional requirement to identify a senior manager (this is expected to be the Chair of the board) with overall responsibility for overseeing the ‘value assessment’. And the Certification Regime will be extended to cover functions subject to qualification requirements such as investment and mortgage advisers, the client dealing function, CASS oversight, proprietary traders, algorithmic traders, and any manager (other than a senior manager approved under the Senior Manager Regime) of staff covered by the Certification Regime.

However, some proportionality is being introduced through categorising firms as enhanced, core or limited scope (see table below), and by applying differentiated requirements to each type of firm. So, for example, while enhanced firms will be subject to essentially the same SMCR requirements as apply to banks and insurers, core and limited scope firms will have to designate senior managers to a much narrower set of roles, will be subject to a shorter list of prescribed responsibilities (none for limited scope firms), will not be required to produce management responsibility maps, and will not be subject to handover procedures.

Categorisation of firms

Enhanced Firm

• Firms with annual regulated revenue generated by regulated consumer credit lending of £100 million or more per annum (three year rolling average)

• Significant investment (IFPRU) firms

• Large CASS Firms

• Firms with assets under management above £50 billion (three year rolling average)

• Firms with total intermediary regulated business revenue of £35 million or more per annum (three year rolling average)

• Mortgage lenders and administrators that are not banks with 10,000 or more regulated mortgages outstanding

• Other firms allocated to this category by the regulator

Core Firm

• All firms not allocated to the enhanced firm or limited scope firm categories

Limited Scope Firm

Firms that currently have a limited application of the Approved Persons regime, including:

• Limited permission consumer credit firms

• Sole traders

• Authorised professional firms whose only regulated activities are in non-mainstream regulated activities

• Service companies


05. The wider international context

Other countries are also introducing measures to reinforce individual accountability for senior managers, and in some cases codes of conduct applicable to a wider range of staff. These measures are broadly similar to the UK SMCR, although the details vary across countries. In addition, the Financial Stability Board (FSB) has highlighted the importance of individual responsibility and accountability in a recent paper on strengthening governance frameworks to mitigate misconduct risk.


01 Hong Kong

The Securities and Futures Commission (SFC) introduced the Manager-in-Charge (MIC) regime in October 2017, following a six-month transition period. It is intended to drive better decision-making, and to heighten awareness of individual senior manager accountability, regulatory obligations and potential liabilities.

The SFC requires licensed corporations to appoint a MIC as the person primarily responsible for each core function – overall management oversight, key business lines, operational control and review, risk management, finance and accounting, IT, compliance, and AML and counter-terrorist financing. A single individual may be the MIC for more than one of these functions if this is appropriate for the size and nature of the firm, or two or more individuals may be appointed to manage a specific core function.

There may be some overlap with directors and responsible officers, who together with MICs are regarded by the SFC as constituting the senior management of a licensed corporation.

Senior management is expected to meet the obligations set out in various SFC codes and guidelines. In particular, the senior management of a licensed corporation should bear primary responsibility for ensuring the maintenance of appropriate standards of conduct and adherence to proper procedures; should manage properly the risks associated with the business of the corporation; and should be ultimately responsible for the adequacy and effectiveness of the corporation’s internal control systems.

Licensed corporations are required to submit to the SFC an organisational chart depicting their management and governance structure, business and operational units, and key human resources and their respective reporting lines (this should cover all MICs engaged by the corporation), and to notify the SFC of any changes in their appointment of MICs.

The SFC intends to conduct a thematic review of licensed corporations’ management structure and effectiveness, including board governance and the responsibilities of MICs and how they discharge them.

Similarly to the experience in the UK, a number of practical issues have arisen with the implementation of the MIC regime, including MICs operating from outside Hong Kong (and sometimes from different time zones) and the appointment of a deputy in charge; complexities in management information systems to support individual accountability; and how senior management accountability links in with committee structures and the wider agenda for improving culture.

02 Australia

The Banking Executive Accountability Regime (BEAR) came into effect for the largest banks in Australia on 1 July 2018, and will come into effect for other Authorised Deposit-taking Institutions (ADIs) a year later. The regime is designed to make senior executives in banks more accountable for their actions and for the outcomes arising from these actions. It applies to all ADIs and their subsidiaries, and any Australian branches of foreign owned banks.

BEAR requires each ADI to:

– identify its “accountable persons”;

– provide the Australian Prudential Regulation Authority (APRA) with the roles and responsibilities of each accountable person and with accountability maps;

– notify APRA of any changes to accountable persons, responsibility statements and accountability maps, and of any breaches of BEAR;


– implement specific remuneration policies under which the ADI would reduce the variable remuneration of an accountable person if the person did not comply with their accountability obligations; and

– comply with any APRA direction to reallocate responsibilities.

All accountable persons must:

– be registered with APRA; and

– conduct the responsibilities of their position as an accountable person with honesty and integrity, due skill, care and diligence, to prevent an adverse impact on the prudential standing or reputation of the ADI.

Accountable persons include board members, the CEO, CRO, CFO, COO and CIO, heads of significant business units, and heads of compliance, AML, HR and internal audit; and any person that has actual or effective responsibility for management or control because of the position they hold in, or relating to, an ADI.

Similarly to the UK, the introduction of BEAR has put enormous pressure on the banks – from mapping accountabilities and making accountability statements, to reviewing their overarching governance processes. In the absence of prescriptive guidelines, banks have also had to take their own view on how an accountable person can demonstrate due skill or diligence, that reasonable steps have been implemented, and that management information is in place that would alert an accountable person to potential problems.

03 US

The Federal Reserve proposed supervisory guidance on management of business lines and independent risk management and controls for large financial institutions in January 2018. This would apply to banks with assets of $50 billion or more, and to systemically important non-banks.

The proposed guidance will form part of the Federal Reserve’s rating system for large financial institutions, as a sub-set of governance and controls (the other two parts of which cover board effectiveness and recovery planning).

The objective of the guidance is to delineate the roles and responsibilities of individuals and functions related to risk management – senior management, business line management, management of independent risk management and internal audit – and to set out core principles of effective senior management.

The guidance relates mostly to collective senior management responsibilities (for the core group of individuals directly accountable to the board for the sound and prudent day to day management of the firm). However, specific expectations are set out for the CRO (to establish and maintain independent risk management appropriate for the size, complexity and risk profile of the firm) and for the Chief Audit Executive (to establish and maintain internal audit appropriate for the size, complexity and risk profile of the firm).

04 Singapore

The Monetary Authority of Singapore (MAS) issued a consultation paper in April 2018 on proposed guidelines on individual accountability and conduct, with the intention of finalising the guidelines by the final quarter of 2018.

The proposed guidelines are firmly embedded within the MAS’s overall approach to culture and conduct. The objective of the guidelines is to reinforce financial institutions’ responsibilities in three key areas – promoting the individual accountability of senior managers (the proposed guidelines do not apply to non-executive directors); strengthening the oversight of employees in material risk functions (MRF); and embedding standards of proper conduct among all employees. The guidelines would apply to banks, insurers, securities firms and financial market infrastructures.

Financial institutions will be required to:

– identify senior managers who have responsibility for the management and conduct of functions that are core to the firm’s operations (actual oversight and decision making responsibilities, irrespective of location);

– ensure that senior managers are fit and proper, and are held responsible for the actions of their staff and the conduct of business under their purview;

– demonstrate that senior managers are fit and proper;

– seek MAS approval for CEOs and other senior managers;

– establish and maintain a governance framework that is supportive of and conducive to senior managers’ performance of their roles and responsibilities, with clear overall management structure and reporting relationships;

– ensure that MRF employees are fit and proper for their roles, and are subject to effective risk governance, oversight and appropriate standards of conduct and incentives; and

– promote and sustain the desired conduct among all employees, based on the expected standards of conduct set out in the guidelines.


05 Ireland

The Central Bank of Ireland has announced that it is considering the possible introduction of a senior manager accountability framework for financial institutions in Ireland, in part in response to the conduct issues that have arisen with tracker mortgages in Ireland. The Central Bank is looking at the experience of the UK to assess the implications of introducing a senior manager accountability regime.


06 ECB

Although the European Central Bank (ECB) has not introduced an individual accountability regime as such, internal governance and risk management are key supervisory responsibilities for the ECB and failings in these areas drive the highest scores under the ECB’s supervisory review and evaluation of banks. The ECB and the European Banking Authority (EBA) have published guidance on internal governance, and on fit and proper assessments of individuals.

07 FSB

The FSB published in April 2018 a “toolkit” to strengthen governance frameworks to mitigate misconduct risk in both retail and wholesale markets. This supplements earlier FSB work on risk governance, remuneration, benchmark setting and culture; and an earlier FSB stocktake of efforts by international bodies, national authorities, industry associations and firms to strengthen governance frameworks to reduce misconduct risk.

The FSB’s toolkit focuses on three main areas - cultural drivers of misconduct; individual responsibility and accountability; and the “rolling bad apples” phenomenon, whereby individuals who engage in misconduct are able to obtain subsequent employment elsewhere without disclosing their earlier misconduct to their new employer.

The toolkit relating to individual responsibility and accountability is very similar in approach to the UK’s SMCR and the Hong Kong SFC’s Manager-In-Charge Regime. The toolkit calls for supervisory authorities to develop a framework that identifies key responsibilities in a firm, including for the mitigation of the risk of misconduct; allocates these responsibilities to specific individuals; and holds individuals accountable for the responsibilities to which they have been assigned.

This may have a significant impact on supervisors and firms that have previously focused more on the collective responsibility of a firm’s Board or senior management.


06. How KPMG can help

KPMG member firms have spent the last five years helping banks, building societies, major investment firms and insurers on the design and implementation of individual accountabilities programmes so that they can meet the requirements of the SMCR and SIMR. More recently these skills and experience have been exported to other jurisdictions who have implemented similar regimes.

KPMG professionals have a deep understanding of the SMCR. They have worked with a range of banks, building societies, major investment firms and insurers to support the design and implementation of SMCR/SIMR readiness programmes, and to identify and address the typical SMCR/SIMR challenges/issues that arise across governance, people, process and technology.

KPMG member firms are also now increasingly involved with insurers, asset managers, consumer credit and other types of firms as the SMCR is rolled out in the UK to all regulated firms.


1. Design and implementation

• Linking accountability regime implementation to wider initiatives such as governance effectiveness and cultural change

• Drafting role profiles and individual statements of responsibility

• Developing management responsibilities maps and ensuring overall consistency

• Formulating individual responsibility policies and procedures

• Conduct Rules training and awareness

• Development and implementation of technology solutions to aid compliance

• Preparations for senior manager approval interviews, handover meetings, files and induction

• Record keeping

2. Reasonable steps

• Review and design of frameworks to support senior managers taking reasonable steps to avoid regulatory breaches

• Workshops to review, implement and embed a reasonable steps approach

• Gap analysis against regulatory expectations and peers

• Conducting ‘scenario analysis’ testing to ensure the outcomes are effective and as intended

• Continuing reasonable steps assurance

3. Assurance

• Conducting a gap analysis against regulatory requirements and industry standards

• Review of policies and procedures – for both implementation and business as usual

• Internal audit support

• Business as usual operational effectiveness reviews, including board effectiveness reviews

4. Remediation

• Providing support to deliver requirements following feedback from supervisors

• Providing support to deliver requirements from the outcomes of post-implementation internal audit reviews or other external assurance reviews


Contacts

David Miller, Partner, Insurance, KPMG in the UK
e. [email protected] t. +44 20 7694 2253

David Yim, Partner, Insurance and Asset Management, KPMG in the UK
e. [email protected] t. +44 20 7311 5973

Maxim Lewis, Senior Manager, Financial Risk Management, KPMG in the UK
e. [email protected] t. +44 113 231 3594

Suvro Dutta, Partner, Banking, KPMG in the UK
e. [email protected] t. +44 20 7311 1466

Rebecca Irving, Regulatory Manager, Financial Risk Management, KPMG in the UK
e. [email protected] t. +44 20 3078 3757

Clive Briault, Senior Adviser, EMA Financial Services Risk and Regulatory Insight Centre, KPMG in the UK
e. [email protected] t. +44 20 7694 8399

James Lewis, Head of EMA Financial Services Risk and Regulatory Insight Centre, KPMG in the UK
e. [email protected] t. +44 20 73114028

kpmg.com/individualaccountability


Designed by CREATE | July 2018 | CRT100536A